Zeus Botnets Are Taken Down by Unique Team

BALTIMORE — The NACHA session opened with dramatic video. Microsoft lawyers accompanied by U.S. marshals swooped into a characterless office building in Scranton, Pa., where they proceeded to seize computers that had been used to host giant botnet networks of zombie computers that, unbeknownst to their owners, were under the control of the so-called Zeus virus.

This was reality. A network that had controlled around 3.5 million computers, spitting out literally hundreds of millions of phishing and spam emails daily, had been dealt a crippling blow by an effort that brought together Microsoft, NACHA, the Financial Services-Information Sharing and Analysis Center (FS-ISAC) and the U.S. government.

A lot was at stake in this late March raid.

“Our objective was to help retain confidence in electronic payments,” said Janet Estep, CEO of NACHA. A prime and continuing consumer worry with online and mobile banking is security, and Zeus, the principal piece of malware causing disruption in financial channels, emerged as the natural target of this collaborative effort.

“Our goal was to disrupt the Zeus criminals,” said Richard Boscovich, a senior attorney at Microsoft who created much of the legal strategy behind this unusual private- and public-sector collaboration. Pivotal to the strategy was Microsoft’s contention, accepted by federal judges, that the Zeus botnet fell under the Racketeer Influenced and Corrupt Organizations statute, which let Microsoft and other private-sector parties pursue civil remedies under RICO. “We knew we could take out the botnet. The question was, could we do it legally? We found the way to do that,” said Boscovich.

Microsoft of course also had unique skin in the game because only computers running Windows are known to be vulnerable to Zeus malware, which lets a third party take control of a computer without the owner having any knowledge this has occurred. The malware does not run on Apple, Linux or Chrome OS machines.

Microsoft also played a wild card in that it knew its free Hotmail product was widely used by botnet spammers, and it invoked its terms of service, which let it legally look deeply into any violations it uncovered. This also let Microsoft delve into the traffic patterns and sources of the spam. “Microsoft is in a unique position because of the Hotmail [terms of service],” said Boscovich.

What good could one raid do? Estep said that after the raid, instances of phishing emails that fraudulently used NACHA logos dropped by 90%.

“After the raid,” added Boscovich, “26% of Zeus botnets were under Microsoft control.” Due to legal complexities and cross-border issues, Microsoft has not communicated with the owners of the infected computers. It hopes to work with Internet service providers to communicate to their customers with infected computers.

Don’t think this raid puts Zeus criminals out of business. There remain many millions more infected machines that continue to operate under the command and control of remote criminals. But, said Boscovich, “we are raising their costs of doing business. They will need more sophisticated coding. It will take them more time.”

“This was a disruption, not a complete kill,” admitted Boscovich.

But he left little doubt that Microsoft has an appetite for still more direct assaults on criminal networks. “Next time our approach will be different still,” said Boscovich.